Skip to content
/ Linux-Volatile-Memory-Forensics Public

This project is a detailed technical report and practical guide covering the methodologies and tools used for Volatile Memory (RAM) Forensics on Linux operating systems. It is structured to provide both foundational knowledge and a step-by-step procedure for conducting a forensic investigation in a digital security context.

2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Hatim-Bousseta/Linux-Volatile-Memory-Forensics

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
LINUX_MEMORY_FORENSICS.pdf
LINUX_MEMORY_FORENSICS.pdf
 
 
README.md
README.md
 
 

Repository files navigation

Linux-Volatile-Memory-Forensics

This project is a detailed technical report (french) and practical guide covering the methodologies and tools used for Volatile Memory (RAM) Forensics on Linux operating systems. It is structured to provide both foundational knowledge and a step-by-step procedure for conducting a forensic investigation in a digital security context.

Features & Focus In-Depth Theory: The core concepts of Digital Forensics and the unique challenges posed by volatile memory.

Practical Methodology: Provides a structured, two-part process for memory acquisition and analysis tailored for the Linux environment.

Tooling Emphasis: Focuses on essential open-source tools such as LiME (Linux Memory Extractor) for acquisition and the Volatility Framework for post-acquisition analysis.

Verification and Reporting: Steps for verifying evidence integrity (hashing) and presenting findings in a forensically sound manner.

Part 1: Introduction (Foundations)

  1. Digital Forensics: Defining the field, principles, and legal framework.

  2. Volatile Memory: Explaining the nature of RAM and the critical artifacts it holds (e.g., encryption keys, live network connections, running processes).

Part 2: Main Steps for Forensic Analysis on Linux (Methodology)

  1. Volatile Memory Acquisition: Detailed instructions and best practices for creating a raw memory dump using tools like LiME, prioritizing minimal system impact and evidence preservation.

  2. Volatile Memory (RAM) Analysis: Practical application of the Volatility Framework, including Linux-specific plugins for process listing, network analysis (netscan), command history extraction (linux_bash), and rootkit detection.

Part 3: Conclusion (Validation & Application)

  1. Verification and Testing: Discussing checksum verification, cross-validation of findings, and ensuring the repeatability of the analysis process.

  2. Practical Investigation: An application scenario or case study demonstrating the end-to-end investigation and the generation of actionable forensic conclusions.

To follow the practical sections of this guide, you will primarily need:

A Linux environment (Target System or VM)

About

This project is a detailed technical report and practical guide covering the methodologies and tools used for Volatile Memory (RAM) Forensics on Linux operating systems. It is structured to provide both foundational knowledge and a step-by-step procedure for conducting a forensic investigation in a digital security context.

Topics

memory forensics volatility3

Resources

Readme
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published